Simplify keystore setup using the system keystore

You can simplify access to certificates on Db2 servers and clients by using the Microsoft Certificate Store (MSCS) on Windows. In addition, Db2 clients running on Linux and AIX platforms can simplify certificate setup by interfacing with the system certificate bundle.

Accessing the MSCS on Windows platforms

The MSCS can be used to store both root certificates and endpoint certificates. If Windows servers on your Db2® network are already using MSCS, it can save you the time and effort of creating your own keystores.

You access the MSCS through the Internet Options dialog box (for example, Control Panel > Internet Options). By clicking the Contents tab and then Certificates, you can access all of the certificates that are contained in the MSCS.

The following certificates are included in the MSCS:
  • Personal certificates that are issued to the current user account.
  • Certificates that are assigned to other users on the current server.
  • Intermediate and Root certificate authorities (CAs).
  • Trusted and untrusted publishers of certificates.
  • Certificates present on smart cards.
    Note: Support for certificates present on smart cards is available in Db2 11.5.4 and later.
Important: Entries in the Friendly Name column correspond to the Label values that are found in a certificate file or keystore. Watch for duplicate Friendly Name values, because only the first occurrence is used by the MSCS.

You can import or export certificates and certificate chains by using the Internet Options dialog box or the IBM Global Security Kit (GSKit) command-line tools. To access the MSCS with the GSKit command-line tools, specify -db GSK_MS_CERTIFICATE_STORE as the target database.

Integrating Db2 with the MSCS

To get IBM Global Security Kit (GSKit) to recognize the MSCS as a key database:
  1. Log in to your Db2 server as the Db2 instance owner and set the following DBM CFG configuration parameters:
    SSL_SVR_KEYDB  GSK_MS_CERTIFICATE_STORE
    SSL_SVR_STASH  NULL
  2. On a Db2 client, set the client keystore value to GSK_MS_CERTIFICATE_STORE.
    • Do not set either the client keystore password or the stash file when using the MSCS.
    • On Db2 installations with KI DT172470, to access certificates on a smart card, set the client keystore value to MSCNG.
    • If the client is configured using the DBM CFG parameters, set the following DBM CFG parameters:
      SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE
      SSL_SVR_STASH  NULL
    • If the client is configured by using either the db2cli.ini or a connection string, set the SSLClientKeystoredb keyword and remove the SSLClientKeystoreDBPassword and SSLClientKeystash keywords:
      SSLClientKeystoredb=GSK_MS_CERTIFICATE_STORE
    • If the client is configured by using the db2dsdriver.cfg file, set the SSLClientKeystoredb keyword and remove the SSLClientKeystoreDBPassword and SSLClientKeystash keywords:
      <parameter name="SSLClientKeystoredb" value="GSK_MS_CERTIFICATE_STORE"/>
Note: GSKit works with certificates that are associated with the current user account, not the computer account.

Integrating the system certificate store on Linux and AIX with IBM Global Security Kit (GSKit)

In Db2 releases that contain KI DT244530, the Db2 Simplified SSL feature supports certificate bundles. To integrate Simplified SSL with the system certificate bundle, the SSLServerCertificate parameter must be set to one of the following values, depending on the platform:
  • Red Hat Enterprise Linux (RHEL) platforms: /etc/pki/tls/certs/ca-bundle.crt
  • SUSE Linux Enterprise Server (SLES) platforms: /etc/ssl/ca-bundle.pem
  • Ubuntu platforms: /etc/ssl/certs/ca-certificates.crt
  • AIX platforms: /var/ssl/certs/tls-ca-bundle.pem
For more information, see the SSLServerCertificate IBM data server driver configuration keyword.
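The following Python helper is an added example, not IBM's code, that assembles the client-side SSL keywords described in the Windows client step and in the Linux and AIX section above: on Windows it points the keystore at the MSCS and strips any leftover password or stash keywords; elsewhere it selects the platform's system CA bundle and fails early if the bundle is absent. The distro identifiers, the `exists` hook (so the check can run offline) and the host and database names are assumptions of this example.

```python
"""Build Db2 client SSL connection keywords for the MSCS or a system CA bundle."""
import os

MSCS_KEYSTORE = "GSK_MS_CERTIFICATE_STORE"

# System CA bundle paths named on the page, keyed by an assumed distro id.
CA_BUNDLES = {
    "rhel": "/etc/pki/tls/certs/ca-bundle.crt",
    "sles": "/etc/ssl/ca-bundle.pem",
    "ubuntu": "/etc/ssl/certs/ca-certificates.crt",
    "aix": "/var/ssl/certs/tls-ca-bundle.pem",
}

# Keywords that must not be present when the MSCS is the client keystore.
MSCS_FORBIDDEN = ("SSLClientKeystoreDBPassword", "SSLClientKeystash")


def ssl_keywords(system, distro=None, exists=os.path.exists):
    """Return the SSL keywords for this platform, or raise on a misconfiguration."""
    if system == "windows":
        # GSKit reads the current user's MSCS; no password or stash file is needed.
        return {"SECURITY": "SSL", "SSLClientKeystoredb": MSCS_KEYSTORE}
    bundle = CA_BUNDLES.get(distro)
    if bundle is None:
        raise ValueError(f"no system CA bundle known for {system}/{distro}")
    if not exists(bundle):
        # Refuse to build a config that would silently fail to validate the server.
        raise FileNotFoundError(f"CA bundle missing: {bundle}")
    return {"SECURITY": "SSL", "SSLServerCertificate": bundle}


def connection_string(base, system, distro=None, exists=os.path.exists):
    """Merge the SSL keywords into `base` (a dict of connection keywords)."""
    kw = dict(base)
    ssl = ssl_keywords(system, distro, exists)
    if ssl.get("SSLClientKeystoredb") == MSCS_KEYSTORE:
        # With the MSCS the password and stash keywords must be removed.
        for key in MSCS_FORBIDDEN:
            kw.pop(key, None)
    kw.update(ssl)
    return ";".join(f"{k}={v}" for k, v in kw.items())


if __name__ == "__main__":
    # Constructed placeholder values, not a real server.
    base = {"DATABASE": "SAMPLE", "HOSTNAME": "db.example", "PORT": "50001",
            "PROTOCOL": "TCPIP", "SSLClientKeystash": "/old/client.sth"}
    print(connection_string(base, "windows"))
    print(connection_string(base, "linux", "rhel", exists=lambda p: True))
```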